Under the DPA98, data always had to be processed fairly and lawfully; under the GDPR this principle was uplifted to lawfully, fairly and transparently (Art 5(1)(a)).
This means that organisations have a legal obligation to be open and honest about what personal data they process, for what purpose, under what lawful basis, how long they keep it, who it’s shared with, and a host of other things.
The right to be informed is covered by Art 12-14 of the GDPR, and guidance has been provided by the A29WP in their Transparency guidelines and summarised by the ICO on their site.
The most common way to provide the information is by placing a Privacy Notice (N.B. a Notice is external, a Policy is internal) on your website. Don’t bury the privacy notice five pages in; it’s not a good look to try to hide it. A good place to put it is in the footer of each page of the website so it’s easy to find. You don’t have to do the wall of words, though: you could use infographics, videos, or any other method to tell people what you do with their information. If you aim your services at children, it’s especially important to make sure they can understand it.
If you’re going to use a template to get you started, that’s fine, but make sure it’s properly tailored to cover the processing your unique business does, and not some imaginary business. Use conversational language, and be honest. Imagine you’re telling someone what you do, and what their rights are, as you have a cuppa together in a café. The ICO provides a very simple template for micro businesses on their website; it’s worth looking it up if you’re desperate for a starting point.
Also, it’s best if the team or person drafting the privacy notice understands the basics of what needs to be included from a legal point of view. That doesn’t mean lawyers need to write it, but if your marketing department is tasked with writing it, make sure that someone cross-references it against what’s required. Also check that it doesn’t contain statements along the lines of ‘By using this website, you agree to your data being processed’. Ouch.
Your Privacy Notice is there to serve
It’s not part of the T&Cs of service, and it is never agreed to, consented to, or accepted by check-box or otherwise. It informs people; it does not ask anything of them.
It’s also worth mentioning that a privacy notice is an output of other record-keeping work, and this is often overlooked. Art 30 / Records of Processing Activities is a must have, regardless of the number of employees you have (the small-organisation exemption in Art 30(5) does not apply where processing is more than occasional or includes special category data, which rules out most businesses in practice). If you don’t have your data mapped out with your lawful bases, how can you possibly describe what you do and why to the people served by the privacy notice? It would be a bit like trying to build a house without foundations, and would result in the same ending.
I’ve heard it said by one company that they don’t need a privacy notice because they are business to business only.
Unfortunately this isn’t correct. An email address of the form name.surname@organisation is still personal data. An address such as info@organisation could also easily be personal data if, for example, there is only one director in a Limited Company, because it identifies that individual.
There is a lot more that could be said about privacy notices, and I could provide some humdinging examples of how to do it badly, as well as some pretty good ones too, but this isn’t the place for that.
If you feel like you need specific advice, get in contact with me at [email protected] and I will be happy to discuss requirements.